Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Export results from KV lookup file in Lookup editor?

smanojkumar
Contributor
‎02-21-2023 04:01 AM

Hi There,

   I would like to export the results of kv lookup file in a lookup editor, but the results after exporting is only 50k records, even the original results is 80k records, How to download the entire results in a single file?

Thanks!

Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-21-2023 05:11 AM

Hi @smanojkumar,

are you trying to export rows from a KV Store lookup using the inputlookup command or the Lookup Editor App?

Inputllokup has the limit of 50,000 results, but the export from the Lookup Editor shouldn't have this limit.

Ciao.

Giuseppe

0 Karma
Reply

smanojkumar
Contributor
‎02-22-2023 11:40 PM

I'm trying to use lookup Editor app.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-22-2023 11:46 PM

Hi @smanojkumar,

at first see if the solution from @woodcock solves your requirement https://community.splunk.com/t5/Splunk-Search/How-can-I-escape-the-50K-subsearch-limit-while-linking...

otherwise, you could modify limits.conf:

[searchresults]
maxresultrows = 100000
[stats]
maxresultrows = 100000
[top]
maxresultrows = 100000

Ciao.

Giuseppe

0 Karma
Reply

smanojkumar
Contributor
‎02-27-2023 03:26 AM
Actually, i'm having same configuration in test environment but the lookup editor is working fine, but it is not working in dev environment, any other things or ways to increase the export records count.
0 Karma
Reply

smanojkumar
Contributor
‎03-02-2023 01:16 AM

Hi @gcusello ,

  I'm curious to know about this,

 

Thanks!

0 Karma
Reply

smanojkumar
Contributor
‎02-23-2023 12:21 AM

We need to modify in all these 3 places in limits.config file? [searchresults] maxresultrows = 100000 [stats] maxresultrows = 100000 [top] maxresultrows = 100000

0 Karma
Reply

smanojkumar
Contributor
‎02-27-2023 11:37 PM

Hi @gcusello ,

  We are having same configuration in test environment, but it's working fine, not in dev environment. Any other ways are there @gcusello ?

1. test environment

smanojkumar_0-1677569780162.png

2. Dev environment

smanojkumar_1-1677569806261.png

 

0 Karma
Reply

smanojkumar
Contributor
‎03-02-2023 12:53 AM

Hi @gcusello ,

   Any other way other than this.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-27-2023 11:35 PM

Hi @smanojkumar,

yes, I used 100000 in my example, but if you have less rown, you can use a minor number.

Ciao.

Giuseppe

0 Karma
Reply

smanojkumar
Contributor
‎03-02-2023 11:53 PM

Hi @gcusello ,

   I had changed those limits to 500000, even I can't export more than 50k rows.

 

Thanks.

0 Karma
Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...